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EXCERPT 


Worldwide Security and Vulnerability Management 2010- 


2014 Forecast and 2009 Vendor Shares 


Charles J. Kolodgy 


IN THIS EXCERPT 


In this excerpt IDC examines the security and vulnerability management market for 
the 2009-2014 period, with vendor revenue trends and market growth forecasts. 
Worldwide market sizes and vendor revenue and market shares of the leading 
vendors are provided for 2009, and a five-year growth forecast for this market is 
shown for 2010-2014. This excerpt concludes with market trends and IDC guidance 
for future success. 


IDC OPINION 


2009 wasn't a very good year for most organizations as the world was recovering 
from recession. Even as worldwide economic growth and IT spending were primarily 
flat, enterprises and organizations continued to deploy technologies to improve their 
management of security operations. To respond to increasing threats and 
government regulatory oversight, organizations turned to security and vulnerability 
management (SVM) solutions to provide the intelligence and management tools that 
can make security more effective, in terms of cost and security. The SVM market 
provides a window into an organization's risk posture and allows for that risk position 
to be monitored and improved. Security and vulnerability management market 
revenue grew at a rate of 9.2% in 2009. This was down from the 17% in 2008 but 
considerably higher than the rate forecast. Revenue in the market was $2.9 billion in 
2009 compared with $2.6 billion in 2008. IDC believes the SVM market will remain on 
a positive growth trajectory in 2010, with revenue anticipated to be $3.2 billion, which 
is a 9.8% increase. By the end of the forecast period (2014), the market should 
exceed revenue of $5.2 billion with a climbing annual growth rate, resulting in a 
compound annual growth rate of (CAGR) of 12.4%. Highlights are as follows: 


The growing body of disclosure law governing security breaches and data loss 
incidents will result in ever-increasing usage of products that can create and 
enforce security policy and provide information required by auditors. It also 
requires that products that aggregate data and event management have the 
ability to identify and remediate internal threats based on user privileges. 


Security consists of products, people, and policy. SVM vendors are able to 
provide many policy solutions, which are used to supplement and validate other 
security defenses. 


The SVM market continues to be extremely diverse with no vendor having even 
an 8% share. IDC does not see this market becoming one dominated by a few 
players, so IDC would not expect any one company to exceed 12% in market 
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share during this period. The market is too diverse for such a consolidation even 
following the high number of acquisitions that have been occurring in the market. 


SVM products will continue to benefit from increasing government regulations. To 
maintain compliance, vendors will require products that can automate 
compliance functions. 


SITUATION OVERVIEW 


Security and Vulnerability Management 
Market in 2009 


Products that fall within the security and vulnerability management market remain in 
high demand. The SVM market covers a wide area of solutions that are designed to 
provide the brains of the security organization. Organizations are looking for solutions 
to proactively mitigate risk, handle establishing and auditing security policy, 
consolidate risk management information, and, ultimately, provide some security 
peace of mind. As a result, the market had a 9.2% growth rate in 2009 compared with 
2008's results. The total market in 2009 was $2.9 billion. With over 60 named 
vendors, even following all of the mergers and acquisitions (M&A) activity, the SVM 
market is large and competitive. Unlike some other security markets that are 
dominated by a handful of vendors, the leading vendors in this space do not exceed 
8% market share. Interestingly, it takes 15 different vendors to accumulate 52.3% of 
the total market. This is up one vendor from what was required in 2008 to reach the 
same number. 


To illustrate the complexity and competitiveness of this market, Table 1 provides a 
collection of top 25 vendors and their products as they fit into the market 
subcategories. Please understand this is a representative list and does not include 
every product. 
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TABLE 1 


Representative SVM Vendor Products for Top 25 Vendors 


Company 


ArcSight 
(bought by HP) 


CA Technologies 


Check Point 


Cisco 


EMC 


Enterasys Networks 


Fujitsu 


GFI 


Guidance Software 
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Security Intelligence 


Proactive Endpoint Forensics and Incident and Event Security Device Vulnerability 
Risk Management Investigation Policy and Compliance | Management Systems Management | Assessment 


ArcSight Enterprise 
Security Manager; 
ArcSight Express 


LB Security CA Enterprise Log CA Configuration 
LEE Manager Manager Automation 


SmartEvent; SmartProvisioning; 
SmartReporter Network Policy 


Management 


Adaptive Security 
Device Manager; IPS 
Manager Express 


enVision EMC lonix enVision 
Configuration Analytics 
Manager 
Enterasys Security Enterasys NMS 
Information and Event | Inventory Manager; 
Manager; Enterasys Enterasys NMS 
NMS Automated Console 
Security Manager 
Systemwalker Desktop | glovia G2 Audit CentraSite; glovia G2 ServerView Interstage Software 
Patrol Manager; ETERNUS Security Manager Quality Analyzer 
AS500 Archive 
Storage 


GFI EndPointSecurity DL GFI Network Server GFI EventsManager NEN GFI LANguard 
Monitor 
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TABLE 1 


Representative SVM Vendor Products for Top 25 Vendors 


Company 


HP 


IBM 


Imperva 


LogLogic 


Lumension Security 


McAfee 


Proactive Endpoint 
Risk Management 


Proventia Desktop; 
IBM-BigFix; Guardium 
Configuration Audit 
System for Database 
Servers 


Lumension Patch and 
Remediation; 
Lumension Security 
Configuration 
Management; 


Lumension Application 


Control 


McAfee Total 
Protection for 


Compliance; McAfee 
Configuration Control 


Forensics and Incident 


LogLogic Open Log 
Management platform 


Policy and Compliance 


Tivoli Security 
Compliance Manager; 
Tivoli Security Policy 
Manager; Guardium 
Database Activity 
Monitoring 


SecureSphere 
Database Activity 
Monitoring; File 
Activity Monitoring 


Policy Auditor; ePolicy 
Orchestrator; Risk 


Advisor 
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Security Intelligence 


and Event 
Management 


Tivoli Security 
Information and Event 
Manager 


LogLogic Security 
Event Manager 


Security Device 
Systems Management 


Vulnerability 
Assessment 


Assessment 
Management Platform 
(AMP); WeblInspect, 
Devinspect, QAlnspect 


Proventia Network 
Enterprise Scanner; 
Rational AppScan; 
zSecure Audit; 
Guardium Database 
Vulnerability 
Assessment 


SecureSphere 
Discovery and 
Assessment Server 


Lumension Scan; 
Lumension Risk 
Manager 


Vulnerability Manager 
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TABLE 1 


Representative SVM Vendor Products for Top 25 Vendors 


Security Intelligence 


Proactive Endpoint Forensics and Incident 
Company Risk Management Investigation Policy and Compliance 


Microsoft Windows Server Systems Center 
Update Services Configuration Manager 


NetlQ VigilEnt Policy Center NetIQ Security 
Manager; NetIQ Aegis 


NKSUN Nation DS 


and Event Security Device Vulnerability 
Management Systems Management | Assessment 


Baseline Security 
Analyzer; SCCM 
Vulnerability 
Assessment 
Configuration Pack 


NetlQ Secure 
Configuration Manager 


Novell ZENworks Endpoint Sentinel 
Security Management; 
ZENworks Patch 
Management 


Qualys Po QualysGuard Suite 
SecureWorks 


ris 
NetChk Protect 


Shavlik Technologies | Shavlik NetChk 
Configure, Shavlik 
Security Suite 


Symantec Corp. Symantec Critical 
System Protection; 


Control Compliance Security Information Risk Automation Suite 
Suite; Altiris Manager; DeepSight 


Altiris Client 
Management Suite 


Tripwire Inc. Tripwire Enterprise —— Tripwire Enterprise Tripwire Log Center MM 


Source: IDC, 2010 
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Performance of Leading Vendors in 2009 


The leading vendors for 2009 are pulled from both the security management and the 
vulnerability assessment ranks. Refer to Table 2 for the worldwide SVM revenue and 
market shares. Top vendors include: 


IBM is the leader of the market, being the only vendor to exceed $200 million in 
vendor revenue. Its revenue grew 2.1% in 2009 compared with 2008, capturing a 
7.4% share of this market. 


Symantec had revenue of $195 million in 2009, which is an increase of 5.4% 
compared with its 2008 revenue. It has a 6.8% share of the market. 


ArcSight, which was purchased by HP in 2010, continued to be a growth leader, 
with revenue growth of 31% in 2009. Its revenue was $165.4 million, which is 
also a 5.8% market share. 


NetIQ, an Attachmate business, was recorded as the fourth-largest SVM vendor 
in 2009, with a 4.7% market share on $136.4 million in revenue. 


EMC moved into the fifth-place position because of its 20.6% revenue growth in 
2009. Revenue for the year was $96.4 million for a market share of 3.4%. 


Table 4 displays 2009 worldwide revenue and market shares for vulnerability 
assessment vendors. 


Figure 6 displays 2009 market shares for the top 5 device vulnerability assessment 
vendors and application vulnerability assessment vendors, respectively. 


TABLE 2 


Worldwide Security and Vulnerability Management Revenue by Vendor, 2008 


and 2009 ($M) 

ArcSight (bought by HP) 31.0 
EMC 80.0 96.4 20.6 
Cisco 95.0 94.4 -0.7 
McAfee 72.0 93.2 29.4 
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TABLE 2 


Worldwide Security and Vulnerability Management Revenue by Vendor, 


and 2009 ($M) 


Microsoft 
Lumension Security 
Guidance 
Enterasys Networks 
Tripwire Inc. 

Qualys 

Imperva 

QiLabs 

Shavlik 

LogLogic 

NIKSUN 

HP 

GFI 

Fujitsu 

Check Point 
SecureWorks 
Novell 

CA Technologies 
Hitachi 

Archer Technologies (bought by EMC) 
Sun Microsystems (bought by Oracle) 
SenSage 
Application Security 


LANDesk 
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2008 


2008 2009 2009 Share (%) | 2008-2009 Growth (%) 
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TABLE 2 


Worldwide Security and Vulnerability Management Revenue by Vendor, 2008 


and 2009 ($M) 

BigFix (bought by IBM) 23.5 22.5 TEC -4.2 
nCircle 18.1 21.9 8 21.0 
Klocwork 18.8 21.0 11.5 
Core Security 15.6 20.0 28.5 
NetWitness 80 | 19.7 118.9 
Fortify (bought by HP) 14.8 19.5 32.2 
netForensics 25.0 19.5 -22.0 
Vanguard Integrity Professionals 15.0 18.0 08 20.0 
Cenzic 12.5 18.0 | 98 | 44.2 
Tenable Network Security 18.0 08 197.5 
Intellitactics (bought by Trustwave) 18.0 17.2 0098 -4.4 
NitroSecurity 16.8 mE 90.9 
Skybox Security 11.9 14.4 21.0 
StillSecure 10.0 14.0 40.0 
NEC 11.7 13.1 11.4 
Secunia 11.9 57.7 
Secerno (bought by Oracle) 10.0 100.0 
Beyond Security 11.5 Oo w| s) -21.7 
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TABLE 2 


Worldwide Security and Vulnerability Management Revenue by Vendor, 2008 


and 2009 ($M) 


VeriSign Inc. 

CSC 

KACE Networks (bought by Dell) 
Veracode 

WhiteHat 

Layer 7 Technologies 
RedSeal 

MANDIANT 
Intrusion.com 

Solera Networks 
Blue Lance 

Subtotal 

Other 


Total 


Source: IDC, 2010 


2008 2009 2009 Share (%) | 2008-2009 Growth (%) 
: 


TABLE 4 


Worldwide Vulnerability Assessment Revenue by Vendor, 2009 ($M) 


IBM 
Qualys 
HP 


McAfee 
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Revenue ($M) Share (%) 

74.3 10.7 

57.6 8.3 

34.5 5.0 

32.3 4.7 
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TABLE 4 


Worldwide Vulnerability Assessment Revenue by Vendor, 2009 ($M) 


Revenue ($M) 
NetIQ 
Symantec 
Imperva 
Microsoft 
GFI 
nCircle 
Klocwork 
Core Security 
Fortify 
Cenzic 
Lumension Security 
Tenable Network Security 
StillSecure 
Secunia 
Application Security 
Rapid7 


Shavlik 


D») 


Beyond Security 


eEye 

CA Technologies 7.4 
CSC 

BigFix (bought by IBM) 7 
Veracode 4 
WhiteHat 

LANDesk 8 


g D D D x : £o = = = m» D N £o Led e = It D N e e N 
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Share (%) 
3.9 
3.7 
3.4 
3.3 
3.2 
3.2 
3.0 
2.9 
2.8 
2.6 
2.6 
2.3 
1.8 
1.7 
1.7 
1.6 
1.3 
1.3 
1.2 
1.1 
1.0 
1.0 
0.9 
0.9 


0.8 
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TABLE 4 


Worldwide Vulnerability Assessment Revenue by Vendor, 2009 ($M) 


Vanguard Integrity Professionals 


Secerno (bought by Oracle) 


Fujitsu 
Blue Lance 
Subtotal 
Other 


Total 


Source: IDC, 2010 


Revenue ($M) 


C1 


e 


P 


578.9 


113.1 


e ca A B 
P 


Share (%) 
0.7 

0.6 

0.5 

0.1 

83.7 

16.3 


100.0 


FIGURE 6 


Worldwide Device Vulnerability Assessment Revenue Share by 
Vendor, 2009 


Source: IDC, 2010 
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Qualys (14.2%) 


NetlQ (7.0%) 


McAfee (6.9%) 
Other (60.9%) GFI (5.5%) 


nCircle (5.5%) 


Total = $398.3M 


#225988 


11 


FUTURE OUTLOOK 


Forecast and Assumptions 


Worldwide revenue for the SVM market reached $2.9 billion in 2009, representing 
9.2% growth over 2008. IDC currently forecasts that the SVM market will increase at 
a 12.4% CAGR and reach $5.2 billion in 2014, as shown in Table 5. 


Figure 8 provides a visual illustration of the growth rates associated with the security 
and vulnerability management submarkets. 


Figure 9 illustrates the revenue attributed to three regions — Americas; Europe, the 
Middle East, and Africa (EMEA); and Asia. 


For this document, IDC is estimating the SVM forecast based on how the products 
will be delivered to the customer. The delivery platforms are software, hardware, 
virtualized, and software as a service (SaaS). Hardware generally represents 
appliances that are used for many of the submarkets. The most pronounced use of 
appliances is in the SIEM market where many products can now store logs. For 
virtualization, this delivery mechanism is for software appliances and products that 
reside on a hypervisor. The greatest use of SaaS is in the vulnerability assessment 
market but it is growing in usage in many markets including policy and compliance, 
SIEM, and PERM. Table 6 provides worldwide security and vulnerability management 
revenue forecast by platform. 


The forecasts are based on the assumptions listed in Table 7. 


TABLE 5 


Worldwide Security and Vulnerability Management Revenue by Segment, 


2008-2014 ($M) 
2009-2014 
2008 2009 2010 2011 2012 2013 2014 | CAGR (%) 


Security intelligence and 636.4 826.2 | 1,033.8 | 1,278.0 | 1,560.8 | 1,872.5 | 2,227.8 21.9 
event management 

Proactive endpoint risk 367.7 384.5 399.1 424.2 455.2 500.3 556.1 7.7 
management 


Forensics and incident 104.9 142.0 172.7 203.3 234.8 267.2 298.3 16.0 
investigation 
Policy and compliance EZ 7 EJ 1 597.7 663.0 732.4 EH 3 E 9 10.4 


Security device systems 349.9 295.1 263.6 245.6 232.1 223.9 221.6 -5.6 
management 
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TABLE 5 


Worldwide Security and Vulnerability Management Revenue by Segment, 


2008-2014 ($M) 
ale e e e eE 
2008 2009 2010 2011 2012 2013 2014 | CAGR (%) 
Subtotal 1 odes 6| 2, p 9 pn 668.3 | 4, (AMAT 7 13.9 
Vulnerability assessment || | | ft [| 


Note: See Table 7 for key forecast assumptions. 


Source: IDC, 2010 


FIGURE 8 


Worldwide Security and Vulnerability Management Revenue Growth by 
Segment, 2008-2014 


2008 2009 2010 2011 2012 2013 2014 


—*— Security intelligence and event management 
— Proactive endpoint risk management 

—k- Forensics and incident investigation 

—@—Policy and compliance 

—$— Security device systems management 


Source: IDC, 2010 
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TABLE 6 


Worldwide Security and Vulnerability Management Revenue by Platform, 
2008-2014 ($M) 


2008 2009 2010 2011 2012 2013 2014 CAGR (%) 


Source: IDC, 2010 


ESSENTIAL GUIDANCE 


Security is a value-add, not just a necessary evil or the purview of the paranoid. 
Companies understand that their systems, storage operations, network connectivity, 
and endpoints need to be inherently secure. Customers demand security 
management that is well integrated with the IT infrastructure, effective, usable, and 
affordable. Security and vulnerability management is very important to meeting risk 
management goals because it provides policy and compliance context, vulnerability 
information, remediation, and, ultimately, a comprehensive view of enterprise risk 
management. It offers organizations better ways to cost effectively provide risk 
management and automate the rising cost of compliance activities. SVM solutions 
can simplify the complexity associated with managing multiple security solutions while 
at the same time increasing the automation, effectiveness, and proactive nature of 
security. Vendors are growing the capabilities to provide comprehensive coverage 
within their security management offerings. The key to success in this space will be 
the ability to provide proactive security protection and the knowledge and intelligence 
to provide comprehensive security assessment data. 


IDC believes vendors should develop tools that bring together event records, 
efficiently prioritize incidents, separate real security violations from false alarms, and 
aggregate security events from different locations, devices, and manufacturers. 
Moreover, vulnerabilities must be viewed as part of an overall security management 
infrastructure that takes into account security policy, compliance, and risk 
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management. SVM solutions should tell the enterprise why the vulnerability is a 
concern, its risk ranking, and how to remediate. SVM offerings must be able to 
provide a more aggressive, positive security model and not just respond to events in 
a chaotic manner. In many cases, SVM solutions, especially in the proactive endpoint 
risk management category, are moving to the point where the product will 
automatically remediate any security problems that should develop. Over time, SVM 
vendors need to combine their SVM agent with their own endpoint security solutions 
to provide all endpoint security capabilities, or the SVM vendor will need to partner 
with an endpoint security vendor that does not have SVM capabilities itself. 


Going forward, for the SVM market to maintain its strong growth rates, vendors must 
continue to make security smart. This includes providing proper policy management 
to automatically enforce the security policy. IDC sees the PERM market as a market 
that can bring considerable positive security value to enterprises. Another area where 
SVM makes security smart is in the SIEM market, where an ever-growing set of 
security data has to be processed to find the critical information among a huge set of 
data and to put that intelligence into its proper context. The SIEM market is important 
for providing audit information and ensuring proper utilization of security technologies. 
IDC also believes that vulnerability scanning, be it device or application based, white 
box or black box, credential or hacker view, provides critical information that allows 
organizations to adjust their security position to meet real security threats. IDC 
believes that products that can do real-time penetration testing will see considerable 
success over the next few years because they can pinpoint specific security gaps. 


One area for the SVM market that has been underutilized is for solutions that handle 
small to medium-sized businesses. This group has been overlooked because the cost 
associated with vulnerability assessment and other SVM segments has been high in 
terms of both direct cost and overhead. However, as government requirements for 
security and privacy proliferate, all-sized organizations are beginning to be concerned 
about their ability to measure their compliance with security requirements. As these 
companies expand their use of additional security products and services, they will 
also be looking for ways to measure their risk. Vendors that can provide small and 
medium-sized enterprises with simple, easy-to-use, and affordable products for policy 
compliance and risk management should have considerable success. 
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